test-releasefile-verification 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324
  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE"
  28. }
  29. installaptold() {
  30. testsuccessequal "Reading package lists...
  31. Building dependency tree...
  32. Suggested packages:
  33. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  34. The following NEW packages will be installed:
  35. apt
  36. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  37. After this operation, 5370 kB of additional disk space will be used.
  38. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  39. Download complete and in download only mode" aptget install apt -dy
  40. }
  41. installaptnew() {
  42. testsuccessequal "Reading package lists...
  43. Building dependency tree...
  44. Suggested packages:
  45. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  46. The following NEW packages will be installed:
  47. apt
  48. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  49. After this operation, 5808 kB of additional disk space will be used.
  50. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  51. Download complete and in download only mode" aptget install apt -dy
  52. }
  53. failaptold() {
  54. testfailureequal 'Reading package lists...
  55. Building dependency tree...
  56. Suggested packages:
  57. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  58. The following NEW packages will be installed:
  59. apt
  60. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  61. After this operation, 5370 kB of additional disk space will be used.
  62. WARNING: The following packages cannot be authenticated!
  63. apt
  64. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  65. }
  66. failaptnew() {
  67. testfailureequal 'Reading package lists...
  68. Building dependency tree...
  69. Suggested packages:
  70. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  71. The following NEW packages will be installed:
  72. apt
  73. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  74. After this operation, 5808 kB of additional disk space will be used.
  75. WARNING: The following packages cannot be authenticated!
  76. apt
  77. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  78. }
  79. # fake our downloadable file
  80. touch aptarchive/apt.deb
  81. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  82. updatewithwarnings() {
  83. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  84. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  85. }
  86. runtest() {
  87. local DELETEFILE="$1"
  88. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  89. prepare "${PKGFILE}"
  90. rm -rf rootdir/var/lib/apt/lists
  91. signreleasefiles 'Joe Sixpack'
  92. find aptarchive/ -name "$DELETEFILE" -delete
  93. successfulaptgetupdate
  94. testsuccessequal "$(cat "${PKGFILE}")
  95. " aptcache show apt
  96. installaptold
  97. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  98. prepare "${PKGFILE}-new"
  99. signreleasefiles 'Joe Sixpack'
  100. find aptarchive/ -name "$DELETEFILE" -delete
  101. successfulaptgetupdate
  102. testsuccessequal "$(cat "${PKGFILE}-new")
  103. " aptcache show apt
  104. installaptnew
  105. msgmsg 'Cold archive signed by' 'Rex Expired'
  106. prepare "${PKGFILE}"
  107. rm -rf rootdir/var/lib/apt/lists
  108. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  109. signreleasefiles 'Rex Expired'
  110. find aptarchive/ -name "$DELETEFILE" -delete
  111. updatewithwarnings '^W: .* KEYEXPIRED'
  112. testsuccessequal "$(cat "${PKGFILE}")
  113. " aptcache show apt
  114. failaptold
  115. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  116. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  117. prepare "${PKGFILE}"
  118. rm -rf rootdir/var/lib/apt/lists
  119. signreleasefiles 'Marvin Paranoid'
  120. find aptarchive/ -name "$DELETEFILE" -delete
  121. updatewithwarnings '^W: .* NO_PUBKEY'
  122. testsuccessequal "$(cat "${PKGFILE}")
  123. " aptcache show apt
  124. failaptold
  125. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  126. prepare "${PKGFILE}-new"
  127. signreleasefiles 'Joe Sixpack'
  128. find aptarchive/ -name "$DELETEFILE" -delete
  129. successfulaptgetupdate
  130. testsuccessequal "$(cat "${PKGFILE}-new")
  131. " aptcache show apt
  132. installaptnew
  133. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  134. prepare "${PKGFILE}"
  135. rm -rf rootdir/var/lib/apt/lists
  136. signreleasefiles 'Joe Sixpack'
  137. find aptarchive/ -name "$DELETEFILE" -delete
  138. successfulaptgetupdate
  139. testsuccessequal "$(cat "${PKGFILE}")
  140. " aptcache show apt
  141. installaptold
  142. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  143. prepare "${PKGFILE}-new"
  144. signreleasefiles 'Marvin Paranoid'
  145. find aptarchive/ -name "$DELETEFILE" -delete
  146. updatewithwarnings '^W: .* NO_PUBKEY'
  147. testsuccessequal "$(cat "${PKGFILE}")
  148. " aptcache show apt
  149. installaptold
  150. msgmsg 'Good warm archive signed by' 'Rex Expired'
  151. prepare "${PKGFILE}-new"
  152. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  153. signreleasefiles 'Rex Expired'
  154. find aptarchive/ -name "$DELETEFILE" -delete
  155. updatewithwarnings '^W: .* KEYEXPIRED'
  156. testsuccessequal "$(cat "${PKGFILE}")
  157. " aptcache show apt
  158. installaptold
  159. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  160. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  161. prepare "${PKGFILE}-new"
  162. signreleasefiles
  163. find aptarchive/ -name "$DELETEFILE" -delete
  164. successfulaptgetupdate
  165. testsuccessequal "$(cat "${PKGFILE}-new")
  166. " aptcache show apt
  167. installaptnew
  168. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  169. prepare "${PKGFILE}"
  170. rm -rf rootdir/var/lib/apt/lists
  171. signreleasefiles 'Marvin Paranoid'
  172. find aptarchive/ -name "$DELETEFILE" -delete
  173. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  174. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  175. successfulaptgetupdate
  176. testsuccessequal "$(cat "${PKGFILE}")
  177. " aptcache show apt
  178. installaptold
  179. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  180. rm -rf rootdir/var/lib/apt/lists
  181. signreleasefiles 'Joe Sixpack'
  182. find aptarchive/ -name "$DELETEFILE" -delete
  183. updatewithwarnings '^W: .* NO_PUBKEY'
  184. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  185. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  186. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  187. prepare "${PKGFILE}"
  188. rm -rf rootdir/var/lib/apt/lists
  189. signreleasefiles 'Marvin Paranoid'
  190. find aptarchive/ -name "$DELETEFILE" -delete
  191. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  192. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  193. successfulaptgetupdate
  194. testsuccessequal "$(cat "${PKGFILE}")
  195. " aptcache show apt
  196. installaptold
  197. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  198. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  199. rm -rf rootdir/var/lib/apt/lists
  200. signreleasefiles 'Joe Sixpack'
  201. find aptarchive/ -name "$DELETEFILE" -delete
  202. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  203. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  204. }
  205. runtest2() {
  206. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  207. prepare "${PKGFILE}"
  208. rm -rf rootdir/var/lib/apt/lists
  209. signreleasefiles 'Joe Sixpack'
  210. successfulaptgetupdate
  211. # New .deb but now an unsigned archive. For example MITM to circumvent
  212. # package verification.
  213. msgmsg 'Warm archive signed by' 'nobody'
  214. prepare "${PKGFILE}-new"
  215. find aptarchive/ -name InRelease -delete
  216. find aptarchive/ -name Release.gpg -delete
  217. updatewithwarnings 'W: .* no longer signed.'
  218. testsuccessequal "$(cat "${PKGFILE}-new")
  219. " aptcache show apt
  220. failaptnew
  221. # Unsigned archive from the beginning must also be detected.
  222. msgmsg 'Cold archive signed by' 'nobody'
  223. rm -rf rootdir/var/lib/apt/lists
  224. updatewithwarnings 'W: .* is not signed.'
  225. testsuccessequal "$(cat "${PKGFILE}-new")
  226. " aptcache show apt
  227. failaptnew
  228. }
  229. runtest3() {
  230. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  231. msgmsg "Running base test with $1 digest"
  232. runtest2
  233. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  234. msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
  235. runtest "$DELETEFILE"
  236. done
  237. }
  238. # diable some protection by default and ensure we still do the verification
  239. # correctly
  240. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  241. Acquire::AllowInsecureRepositories "1";
  242. Acquire::AllowDowngradeToInsecureRepositories "1";
  243. EOF
  244. # the hash marked as configureable in our gpgv method
  245. export APT_TESTS_DIGEST_ALGO='SHA224'
  246. successfulaptgetupdate() {
  247. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  248. }
  249. runtest3 'Trusted'
  250. successfulaptgetupdate() {
  251. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  252. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  253. }
  254. runtest3 'Weak'
  255. msgmsg "Running test with apt-untrusted digest"
  256. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  257. runfailure() {
  258. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  259. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  260. prepare "${PKGFILE}"
  261. rm -rf rootdir/var/lib/apt/lists
  262. signreleasefiles 'Joe Sixpack'
  263. find aptarchive/ -name "$DELETEFILE" -delete
  264. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  265. testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
  266. testnopackage 'apt'
  267. testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  268. failaptold
  269. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  270. prepare "${PKGFILE}"
  271. rm -rf rootdir/var/lib/apt/lists
  272. signreleasefiles 'Marvin Paranoid'
  273. find aptarchive/ -name "$DELETEFILE" -delete
  274. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  275. testnopackage 'apt'
  276. updatewithwarnings '^W: .* NO_PUBKEY'
  277. testsuccessequal "$(cat "${PKGFILE}")
  278. " aptcache show apt
  279. failaptold
  280. done
  281. }
  282. runfailure
  283. msgmsg "Running test with gpgv-untrusted digest"
  284. export APT_TESTS_DIGEST_ALGO='MD5'
  285. runfailure